Security Advisory YSA-2025-02
Security Advisory YSA-2025-02 – FIDO PIN/UV Auth Protocol Two Out of Conformance
Published Date: 2025-04-02
Tracking IDs: YSA-2025-02
CVE: CVE-2025-29991
CVSS: 2.2
Summary
A low severity issue has been identified in YubiKeys versions 5.4.1 through 5.7.3 in the FIDO CTAP PIN/UV Auth Protocol Two implementation. These YubiKey versions use the 16 byte signature length from CTAP PIN/UV Auth Protocol One during the verification step, even when the 32 byte CTAP PIN/UV Auth Protocol Two signature was expected. This issue is addressed in YubiKey version 5.7.4.
Exploiting this issue would be difficult as there are additional protections in the protocol and the signature length from CTAP PIN/UV Auth Protocol One still provides significant security control. Due to the level of effort required to exploit this issue, existing mitigations on both the YubiKey and in the FIDO protocol, this is a low severity issue.
For more details see Issue Details section below.
Affected Devices
YubiKey 5 Series versions 5.4.1 through 5.7.3
YubiKey 5 FIPS Series versions 5.4.1 through 5.7.3
YubiKey 5 CSPN Series version 5.4.2
YubiKey Bio Series versions 5.5.0 through 5.7.3
Security Key Series versions 5.4.1 through 5.7.3
Not Affected Devices
YubiKey 5 Series versions 5.4.0 and older and versions 5.7.4 and newer
YubiKey 5 FIPS Series versions 5.7.4 and newer
YubiKey Bio Series versions 5.7.4 and newer
Security Key Series all versions 5.4.0 and older and versions 5.7.4 and newer
All YubiHSM 2 versions
All YubiHSM 2 FIPS versions
How to Tell if You Are Affected
To identify the YubiKey, use Yubico Authenticator to identify the model and version of the YubiKey. The series and model of the key will be listed in the upper left corner of the Home screen. In the following example, the YubiKey is a YubiKey 5C NFC version 5.7.0.

Customer Actions
Mitigation
To help avoid local and physical threats, users should continue to exercise due diligence when installing software on their devices and maintain control of YubiKeys.
Issue Details
FIDO implementations consist of a Relying Party (e.g. website), Client (browser/operating system), and Authenticator (e.g. security key). PIN/UV Auth Protocol is a CTAP mechanism for performing PIN authentication between Client and Authenticator without exchanging the PIN in cleartext.
As part of the verification step of PIN/UV Auth Protocol (see verify(key, message, signature) in this section of the CTAP PIN/UV Auth Protocol definition), an HMAC-SHA-256 signature must be sent by the platform to the authenticator with each command where user verification is to be performed. This signature must be 16 bytes long in PIN/UV Auth Protocol One and 32 bytes long in PIN/UV Auth Protocol Two.
Affected versions of the YubiKey verify 16 bytes of the signature regardless of which version of the protocol is being used.
Severity
Yubico has rated this issue as Low. It has a CVSS score of 2.2
Timeline
October 22, 2024 | Yubico informed by Robby Cornelissen, Head of Research at International Systems Research Co. (isr.co.jp) |
April 01, 2025 | YubiKey 5.7.4 release available |
April 02, 2025 | Yubico releases advisory YSA-2025-02 |